fix: new es testing (#1411)

* fix: org tests * fix: org tests * fix: user grant test * fix: user grant test * fix: project and project role test * fix: project grant test * fix: project grant test * fix: project member, grant member, app changed tests * fix: application tests * fix: application tests * fix: add oidc app test * fix: add oidc app test * fix: add api keys test * fix: iam policies * fix: iam and org member tests * fix: clock skew validation * revert crypto changes * fix: tests * fix project grant member commands Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2025-12-01 12:32:20 +00:00 · 2021-03-15 12:51:15 +01:00
parent e9eb5b7848
commit 2bd255106a
72 changed files with 14134 additions and 230 deletions
--- a/internal/domain/application_api.go
+++ b/internal/domain/application_api.go
@@ -34,7 +34,7 @@ const (
 )

 func (a *APIApp) IsValid() bool {
-	return true
+	return a.AppName != ""
 }

 func (a *APIApp) setClientID(clientID string) {
--- a/internal/domain/application_oidc.go
+++ b/internal/domain/application_oidc.go
@@ -113,6 +113,9 @@ const (
 )

 func (a *OIDCApp) IsValid() bool {
+	if a.AppName == "" || a.ClockSkew > time.Second*5 || a.ClockSkew < time.Second*0 {
+		return false
+	}
 	grantTypes := a.getRequiredGrantTypes()
 	for _, grantType := range grantTypes {
 		ok := containsOIDCGrantType(a.GrantTypes, grantType)
--- a/internal/domain/application_oidc_test.go
+++ b/internal/domain/application_oidc_test.go
@@ -0,0 +1,185 @@
+package domain
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v1/models"
+	"testing"
+	"time"
+)
+
+func TestApplicationValid(t *testing.T) {
+	type args struct {
+		app *OIDCApp
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result bool
+	}{
+		{
+			name: "no app name",
+			args: args{
+				app: &OIDCApp{
+					ObjectRoot:    models.ObjectRoot{AggregateID: "AggregateID"},
+					AppID:         "AppID",
+					AppName:       "",
+					ResponseTypes: []OIDCResponseType{OIDCResponseTypeCode},
+					GrantTypes:    []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
+				},
+			},
+			result: false,
+		},
+		{
+			name: "invalid clock skew",
+			args: args{
+				app: &OIDCApp{
+					ObjectRoot:    models.ObjectRoot{AggregateID: "AggregateID"},
+					AppID:         "AppID",
+					AppName:       "AppName",
+					ClockSkew:     time.Minute * 1,
+					ResponseTypes: []OIDCResponseType{OIDCResponseTypeCode},
+					GrantTypes:    []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
+				},
+			},
+			result: false,
+		},
+		{
+			name: "invalid clock skew minus",
+			args: args{
+				app: &OIDCApp{
+					ObjectRoot:    models.ObjectRoot{AggregateID: "AggregateID"},
+					AppID:         "AppID",
+					AppName:       "AppName",
+					ClockSkew:     time.Minute * -1,
+					ResponseTypes: []OIDCResponseType{OIDCResponseTypeCode},
+					GrantTypes:    []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
+				},
+			},
+			result: false,
+		},
+		{
+			name: "valid oidc application: responsetype code",
+			args: args{
+				app: &OIDCApp{
+					ObjectRoot:    models.ObjectRoot{AggregateID: "AggregateID"},
+					AppID:         "AppID",
+					AppName:       "Name",
+					ResponseTypes: []OIDCResponseType{OIDCResponseTypeCode},
+					GrantTypes:    []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
+				},
+			},
+			result: true,
+		},
+		{
+			name: "invalid oidc application: responsetype code",
+			args: args{
+				app: &OIDCApp{
+					ObjectRoot:    models.ObjectRoot{AggregateID: "AggregateID"},
+					AppID:         "AppID",
+					AppName:       "Name",
+					ResponseTypes: []OIDCResponseType{OIDCResponseTypeCode},
+					GrantTypes:    []OIDCGrantType{OIDCGrantTypeImplicit},
+				},
+			},
+			result: false,
+		},
+		{
+			name: "valid oidc application: responsetype id_token",
+			args: args{
+				app: &OIDCApp{
+					ObjectRoot:    models.ObjectRoot{AggregateID: "AggregateID"},
+					AppID:         "AppID",
+					AppName:       "Name",
+					ResponseTypes: []OIDCResponseType{OIDCResponseTypeIDToken},
+					GrantTypes:    []OIDCGrantType{OIDCGrantTypeImplicit},
+				},
+			},
+			result: true,
+		},
+		{
+			name: "invalid oidc application: responsetype id_token",
+			args: args{
+				app: &OIDCApp{
+					ObjectRoot:    models.ObjectRoot{AggregateID: "AggregateID"},
+					AppID:         "AppID",
+					AppName:       "Name",
+					ResponseTypes: []OIDCResponseType{OIDCResponseTypeIDToken},
+					GrantTypes:    []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
+				},
+			},
+			result: false,
+		},
+		{
+			name: "valid oidc application: responsetype token_id_token",
+			args: args{
+				app: &OIDCApp{
+					ObjectRoot:    models.ObjectRoot{AggregateID: "AggregateID"},
+					AppID:         "AppID",
+					AppName:       "Name",
+					ResponseTypes: []OIDCResponseType{OIDCResponseTypeIDTokenToken},
+					GrantTypes:    []OIDCGrantType{OIDCGrantTypeImplicit},
+				},
+			},
+			result: true,
+		},
+		{
+			name: "invalid oidc application: responsetype token_id_token",
+			args: args{
+				app: &OIDCApp{
+					ObjectRoot:    models.ObjectRoot{AggregateID: "AggregateID"},
+					AppID:         "AppID",
+					AppName:       "Name",
+					ResponseTypes: []OIDCResponseType{OIDCResponseTypeIDTokenToken},
+					GrantTypes:    []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
+				},
+			},
+			result: false,
+		},
+		{
+			name: "valid oidc application: responsetype code & id_token",
+			args: args{
+				app: &OIDCApp{
+					ObjectRoot:    models.ObjectRoot{AggregateID: "AggregateID"},
+					AppID:         "AppID",
+					AppName:       "Name",
+					ResponseTypes: []OIDCResponseType{OIDCResponseTypeCode, OIDCResponseTypeIDToken},
+					GrantTypes:    []OIDCGrantType{OIDCGrantTypeAuthorizationCode, OIDCGrantTypeImplicit},
+				},
+			},
+			result: true,
+		},
+		{
+			name: "valid oidc application: responsetype code & token_id_token",
+			args: args{
+				app: &OIDCApp{
+					ObjectRoot:    models.ObjectRoot{AggregateID: "AggregateID"},
+					AppID:         "AppID",
+					AppName:       "Name",
+					ResponseTypes: []OIDCResponseType{OIDCResponseTypeCode, OIDCResponseTypeIDTokenToken},
+					GrantTypes:    []OIDCGrantType{OIDCGrantTypeAuthorizationCode, OIDCGrantTypeImplicit},
+				},
+			},
+			result: true,
+		},
+		{
+			name: "valid oidc application: responsetype code & id_token & token_id_token",
+			args: args{
+				app: &OIDCApp{
+					ObjectRoot:    models.ObjectRoot{AggregateID: "AggregateID"},
+					AppID:         "AppID",
+					AppName:       "Name",
+					ResponseTypes: []OIDCResponseType{OIDCResponseTypeCode, OIDCResponseTypeIDToken, OIDCResponseTypeIDTokenToken},
+					GrantTypes:    []OIDCGrantType{OIDCGrantTypeAuthorizationCode, OIDCGrantTypeImplicit},
+				},
+			},
+			result: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := tt.args.app.IsValid()
+			if result != tt.result {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result, result)
+			}
+		})
+	}
+}
--- a/internal/domain/member.go
+++ b/internal/domain/member.go
@@ -25,6 +25,10 @@ func (i *Member) IsValid() bool {
 	return i.AggregateID != "" && i.UserID != "" && len(i.Roles) != 0
 }

+func (i *Member) IsIAMValid() bool {
+	return i.UserID != "" && len(i.Roles) != 0
+}
+
 type MemberState int32

 const (
--- a/internal/domain/policy_label.go
+++ b/internal/domain/policy_label.go
@@ -11,3 +11,7 @@ type LabelPolicy struct {
 	PrimaryColor   string
 	SecondaryColor string
 }
+
+func (p *LabelPolicy) IsValid() bool {
+	return p.PrimaryColor != "" && p.SecondaryColor != ""
+}
--- a/internal/domain/project.go
+++ b/internal/domain/project.go
@@ -7,12 +7,8 @@ import (
 type Project struct {
 	models.ObjectRoot

-	State   ProjectState
-	Name    string
-	Members []*Member
-	Roles   []*ProjectRole
-	//Applications         []*Application
-	//Grants               []*ProjectGrant
+	State                ProjectState
+	Name                 string
 	ProjectRoleAssertion bool
 	ProjectRoleCheck     bool
 }
--- a/internal/domain/project_grant.go
+++ b/internal/domain/project_grant.go
@@ -29,21 +29,21 @@ func (p *ProjectGrant) IsValid() bool {
 	return p.GrantedOrgID != ""
 }

-func GetRemovedRoles(existingRoles, newRoles []string) []string {
-	removed := make([]string, 0)
-	for _, role := range existingRoles {
-		if !containsKey(newRoles, role) {
-			removed = append(removed, role)
-		}
-	}
-	return removed
-}
-
-func containsKey(roles []string, key string) bool {
-	for _, role := range roles {
-		if role == key {
+func (g *ProjectGrant) HasInvalidRoles(validRoles []string) bool {
+	for _, roleKey := range g.RoleKeys {
+		if !containsRoleKey(roleKey, validRoles) {
 			return true
 		}
 	}
 	return false
 }
+
+func GetRemovedRoles(existingRoles, newRoles []string) []string {
+	removed := make([]string, 0)
+	for _, role := range existingRoles {
+		if !containsRoleKey(role, newRoles) {
+			removed = append(removed, role)
+		}
+	}
+	return removed
+}
--- a/internal/domain/project_role.go
+++ b/internal/domain/project_role.go
@@ -27,3 +27,12 @@ func NewProjectRole(projectID, key string) *ProjectRole {
 func (p *ProjectRole) IsValid() bool {
 	return p.AggregateID != "" && p.Key != ""
 }
+
+func containsRoleKey(roleKey string, validRoles []string) bool {
+	for _, validRole := range validRoles {
+		if roleKey == validRole {
+			return true
+		}
+	}
+	return false
+}
--- a/internal/domain/user_grant.go
+++ b/internal/domain/user_grant.go
@@ -24,3 +24,12 @@ const (
 func (u *UserGrant) IsValid() bool {
 	return u.ProjectID != "" && u.UserID != ""
 }
+
+func (g *UserGrant) HasInvalidRoles(validRoles []string) bool {
+	for _, roleKey := range g.RoleKeys {
+		if !containsRoleKey(roleKey, validRoles) {
+			return true
+		}
+	}
+	return false
+}